
Production-ready modular Django settings with strong security defaults

Project description

django-project-core-settings

Production-ready, modular, and secure Django settings package.

This package provides a clean, maintainable, and highly secure base configuration for Django projects. It follows Django best practices and OWASP recommendations, making it easy to start new projects with strong security defaults.

Features

  • Fully environment-driven configuration using .env
  • Modular architecture — settings split into logical components
  • Multiple environments support: dev, prod, and local
  • Strong security defaults:
    • HSTS with preload
    • Secure cookies (HttpOnly, SameSite=Strict)
    • CSP (Content Security Policy)
    • Argon2 password hashing
    • Brute-force protection (django-axes)
    • Rate limiting (django-ratelimit)
  • Structured JSON logging (app, security, and error logs)
  • WhiteNoise integration for static files
  • Redis cache support
  • Easy extensibility via EXTRA_INSTALLED_APPS and EXTRA_MIDDLEWARE
  • SAUTH ready (custom authentication app)

Installation

pip install django-project-core-settings

Quick Start

Create your project settings file:

# myproject/settings.py
from django_project_core_settings import *

from django_project_core_settings.utils.env import get_list_env

# === Extend with your apps ===
INSTALLED_APPS += [
    'users',
    # 'blog',
    # 'portfolio',
    # 'ckeditor',
]

MIDDLEWARE += [
    # 'your.middleware.Class',
]

# === Common overrides ===
LOGIN_REDIRECT_URL = '/dashboard/'
ROOT_URLCONF = 'config.urls'
WSGI_APPLICATION = 'config.wsgi.application'

# === Security & Domain ===
ALLOWED_HOSTS = get_list_env("ALLOWED_HOSTS", ["localhost", "127.0.0.1"])

# Add frontend domains if needed
CSRF_TRUSTED_ORIGINS += [
    "https://your-frontend.com",
]

# === default SAUTH config (can be overridden in dev/prod) ===
SAUTH = {
    "LOGIN_REDIRECT": "/dashboard/",
    "LOGOUT_REDIRECT": "/auth/login/",
    "ROLES": {
        "admin": "/dashboard/admin/",
        "staff": "/dashboard/staff/",
        "moderator": "/dashboard/moderator/",
        "user": "/dashboard/",
    },
    "UI_FRAMEWORK": "tailwind",
    "RATE_LIMIT": {
        "LOGIN": "10/m",
        "REGISTER": "5/m",
    },
}
# =============================================
# === SAUTH Customization ===
SAUTH['ROLES'].update({
    'editor': '/dashboard/editor/',
    'author': '/dashboard/author/',
})

# Obscure admin URL (defence in depth only; it does not replace authentication or the IP whitelist below)
ADMIN_URL = 'hidden-admin-xyz123/'
# and in your urls.py:
# urlpatterns = [
#     path(settings.ADMIN_URL, admin.site.urls),
# ]

# Additional settings can be added here as needed, e.g. an admin IP whitelist:
ADMIN_IP_WHITELIST = get_list_env("ADMIN_IP_WHITELIST", default=[])
mw = 'core.middleware.admin_security.AdminIPWhitelistMiddleware'
if mw not in MIDDLEWARE:
    MIDDLEWARE.append(mw)

Then create the middleware that enforces the whitelist (a separate module, not part of settings.py):

# myproject/core/middleware/admin_security.py
from django.conf import settings
from django.http import HttpResponseForbidden
from django_sauth.security.audit.logger import get_client_ip, audit_logger


class AdminIPWhitelistMiddleware:
    """Return 403 for any request under ADMIN_URL unless the client IP is whitelisted.

    An empty ADMIN_IP_WHITELIST disables the check entirely.
    """

    def __init__(self, get_response):
        self.get_response = get_response
        self.admin_path = f"/{settings.ADMIN_URL.strip('/')}/"

    def __call__(self, request):
        # Uncomment to skip the check in development:
        # if settings.DEBUG:
        #     return self.get_response(request)
        path = request.path.rstrip("/") + "/"
        if path.startswith(self.admin_path):
            allowed_ips = [ip.strip() for ip in settings.ADMIN_IP_WHITELIST if ip.strip()]
            if allowed_ips:
                # get_client_ip must only honour X-Forwarded-For when the request
                # arrived through a proxy you control; otherwise the header is
                # attacker-supplied and the whitelist can be bypassed.
                client_ip = get_client_ip(request)
                if client_ip not in allowed_ips:
                    audit_logger.warning(
                        "admin_access_blocked",
                        extra={"ip": client_ip, "path": request.path},
                    )
                    return HttpResponseForbidden("Forbidden")
        return self.get_response(request)
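The whitelist above is only as strong as the client-IP resolution behind it. The following is an added example (not code from this package or from django_sauth, whose get_client_ip is not shown here): a proxy-aware resolver that honours X-Forwarded-For only when the TCP peer is one of your own proxies, a CIDR-capable whitelist parser, and the same admin-path decision the middleware makes, written against a constructed stand-in for HttpRequest so it runs without Django. TRUSTED_PROXIES, FakeRequest and the function names are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Reverse-proxy ranges whose X-Forwarded-For we trust (assumed value for this example).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class FakeRequest:
    """Constructed stand-in for django.http.HttpRequest: only the fields we read."""
    path: str
    remote_addr: str                        # would be request.META["REMOTE_ADDR"]
    forwarded_for: Optional[str] = None     # would be request.META.get("HTTP_X_FORWARDED_FOR")


def resolve_client_ip(remote_addr, forwarded_for, trusted_proxies=TRUSTED_PROXIES):
    """Return the address to authorise against.

    REMOTE_ADDR is the TCP peer and cannot be forged. X-Forwarded-For is only
    honoured when that peer is one of our proxies; walking the chain from the
    right and skipping our own hops yields the address the proxy actually saw,
    so a client cannot prepend a whitelisted IP to impersonate it.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not forwarded_for or not any(peer in net for net in trusted_proxies):
        return peer
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer          # malformed header: fail closed to the peer address
        if not any(addr in net for net in trusted_proxies):
            return addr
    return peer                  # every hop was one of ours; treat as the peer


def parse_whitelist(entries):
    """Accept bare addresses or CIDR blocks, e.g. ADMIN_IP_WHITELIST=127.0.0.1,192.168.68.0/24."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def is_admin_request_allowed(request, admin_url, whitelist, trusted_proxies=TRUSTED_PROXIES):
    """Mirror the middleware's decision. Returns (allowed, resolved_client_ip_or_None)."""
    admin_path = f"/{admin_url.strip('/')}/"
    path = request.path.rstrip("/") + "/"
    if not path.startswith(admin_path):
        return True, None
    networks = parse_whitelist(whitelist)
    if not networks:             # empty whitelist means "not enforced", as in the middleware
        return True, None
    client = resolve_client_ip(request.remote_addr, request.forwarded_for, trusted_proxies)
    return any(client in net for net in networks), str(client)


if __name__ == "__main__":
    wl = ["127.0.0.1", "192.168.68.0/24"]
    # Attacker connects directly and forges the header: the forged value is ignored.
    spoof = FakeRequest("/hidden-admin-xyz123/", "203.0.113.5", "127.0.0.1")
    print(is_admin_request_allowed(spoof, "hidden-admin-xyz123/", wl))
    # Same request arriving through a trusted proxy: the proxy-reported address is used.
    via_proxy = FakeRequest("/hidden-admin-xyz123/", "10.1.2.3", "192.168.68.100")
    print(is_admin_request_allowed(via_proxy, "hidden-admin-xyz123/", wl))
```

If you terminate TLS at a load balancer, put its address range in the trusted list and nothing else; a resolver that reads the leftmost X-Forwarded-For value unconditionally turns the whitelist into a formality.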

Environment Variables (.env)

# dev | prod | local
DJANGO_ENV=dev
SECRET_KEY='your-secret-key'
ALLOWED_HOSTS=localhost,127.0.0.1,yourdomain.com
CSRF_TRUSTED_ORIGINS=http://localhost:8000,https://yourdomain.com
REDIS_URL=redis://127.0.0.1:6379/1

EMAIL_HOST=smtp.gmail.com
EMAIL_USER=your-email@gmail.com
EMAIL_PASS=your-app-password

ADMIN_IP_WHITELIST=127.0.0.1,192.168.68.100
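Two of these variables are easy to get subtly wrong: ALLOWED_HOSTS takes bare host names (a scheme or path never matches and '*' disables the check), and since Django 4.0 every CSRF_TRUSTED_ORIGINS entry must carry a scheme. The following is an added example, not this package's utils.env (whose get_list_env signature is not shown on this page): a comma-list parser plus a pre-flight check over the .env values shown above, including the SECRET_KEY thresholds Django's own check framework uses (50 characters, 5 distinct characters, no django-insecure- prefix). Function names are this example's own.

```python
import os
from urllib.parse import urlsplit


def list_from_env(name, default=(), environ=None):
    """Parse NAME=a, b ,c into ['a', 'b', 'c']; unset or blank falls back to default."""
    env = os.environ if environ is None else environ
    raw = env.get(name)
    if raw is None or not raw.strip():
        return list(default)
    return [item.strip() for item in raw.split(",") if item.strip()]


def validate_allowed_hosts(hosts):
    """ALLOWED_HOSTS entries are matched against the Host header's domain only."""
    problems = []
    for host in hosts:
        if "://" in host or "/" in host:
            problems.append(f"ALLOWED_HOSTS {host!r}: scheme or path never matches a Host header")
        elif host == "*":
            problems.append("ALLOWED_HOSTS '*' disables Host header validation")
    return problems


def validate_csrf_origins(origins):
    """Each origin must be scheme://host[:port]; plain http is only sane for local dev."""
    problems = []
    for origin in origins:
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"CSRF_TRUSTED_ORIGINS {origin!r}: must be scheme://host[:port]")
        elif parts.path or parts.query:
            problems.append(f"CSRF_TRUSTED_ORIGINS {origin!r}: origin only, no path or query")
        elif parts.scheme == "http" and parts.hostname not in ("localhost", "127.0.0.1"):
            problems.append(f"CSRF_TRUSTED_ORIGINS {origin!r}: plain http for a non-local host")
    return problems


def check_env(environ):
    """Return a list of problems found in the environment mapping (empty means OK)."""
    problems = validate_allowed_hosts(list_from_env("ALLOWED_HOSTS", ["localhost", "127.0.0.1"], environ))
    problems += validate_csrf_origins(list_from_env("CSRF_TRUSTED_ORIGINS", [], environ))
    if environ.get("DJANGO_ENV") == "prod":
        key = environ.get("SECRET_KEY", "")
        if len(key) < 50 or len(set(key)) < 5 or key.startswith("django-insecure-"):
            problems.append("SECRET_KEY is missing, a placeholder, or too weak for production")
    return problems


def load_settings(environ=None):
    """Refuse to start with a misconfigured environment instead of failing at request time."""
    env = os.environ if environ is None else environ
    problems = check_env(env)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "ALLOWED_HOSTS": list_from_env("ALLOWED_HOSTS", ["localhost", "127.0.0.1"], env),
        "CSRF_TRUSTED_ORIGINS": list_from_env("CSRF_TRUSTED_ORIGINS", [], env),
    }


if __name__ == "__main__":
    # Constructed sample mirroring the .env shown above.
    sample = {
        "DJANGO_ENV": "prod",
        "SECRET_KEY": "your-secret-key",
        "ALLOWED_HOSTS": "localhost,127.0.0.1,yourdomain.com",
        "CSRF_TRUSTED_ORIGINS": "http://localhost:8000,https://yourdomain.com",
    }
    for problem in check_env(sample):
        print("env problem:", problem)
```

Running the check from a management command or at the top of prod.py turns a silent misconfiguration (a CSRF origin without a scheme, a placeholder key left in .env) into a startup failure, which is where you want it.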

Run Commands

# Development
DJANGO_ENV=dev python manage.py runserver

# Production check
DJANGO_ENV=prod python manage.py check

# Local development with debug tools
DJANGO_ENV=local python manage.py runserver

Project Structure

django_project_core_settings/
├── base.py
├── dev.py
├── prod.py
├── local.py
├── components/
│   ├── apps.py
│   ├── auth.py
│   ├── security.py
│   ├── logging.py
│   └── ...
└── utils/
    └── env.py

What You Can Override

Safe to override:

  • ALLOWED_HOSTS, CSRF_TRUSTED_ORIGINS
  • SAUTH['ROLES']
  • LOGIN_REDIRECT_URL, ROOT_URLCONF, etc.

Do NOT override directly:

  • SECRET_KEY (set it through the SECRET_KEY variable in .env; never hardcode it in settings.py)
  • AUTH_USER_MODEL
  • AUTHENTICATION_BACKENDS
  • Core security headers (HSTS, secure cookies, etc.)
  • MIDDLEWARE and INSTALLED_APPS base lists (use MIDDLEWARE += [], INSTALLED_APPS += [] instead)

See full documentation: SETTINGS.md

Logging

The package provides three log files in the logs/ directory:

  • app.log — General application logs
  • security.log — Authentication, rate limiting, and security events (JSON in production)
  • error.log — Error tracking
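What "JSON in production" buys you is that security.log can be consumed by a detector instead of a human. The following is an added example, not this package's logging configuration (which uses python-json-logger): a stdlib-only JSON formatter that promotes every `extra` field to a top-level key, a logger wired the way security.log is, and a small detection pass over the resulting lines. The handler is an in-memory stand-in for the file handler so the example runs self-contained; logger and function names are this example's own.

```python
import datetime
import json
import logging
from collections import Counter

# Attributes every LogRecord carries; anything else on a record came from `extra`.
_STANDARD_ATTRS = set(logging.LogRecord("", 0, "", 0, "", (), None).__dict__) | {"message", "asctime"}


class JsonFormatter(logging.Formatter):
    """One JSON object per line, with `extra` fields (ip, path, user, ...) at top level."""

    def format(self, record):
        doc = {
            "ts": datetime.datetime.fromtimestamp(record.created, datetime.timezone.utc).isoformat(),
            "level": record.levelname,
            "logger": record.name,
            "message": record.getMessage(),
        }
        for key, value in record.__dict__.items():
            if key not in _STANDARD_ATTRS:
                doc[key] = value
        if record.exc_info:
            doc["exception"] = self.formatException(record.exc_info)
        return json.dumps(doc, sort_keys=True, default=str)


class ListHandler(logging.Handler):
    """Constructed stand-in for the logs/security.log file handler."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def build_security_logger(handler, name="security.example"):
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False            # keep security events out of app.log
    logger.setLevel(logging.INFO)
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    return logger


def log_admin_blocked(logger, ip, path):
    # Same call shape as the middleware above. Keys in `extra` must not collide with
    # LogRecord attributes such as "message" or "name", or logging raises KeyError.
    logger.warning("admin_access_blocked", extra={"ip": ip, "path": path})


def parse_line(line):
    return json.loads(line)


def blocked_ips_over(lines, threshold):
    """Detection over the JSON log: source IPs with at least `threshold` blocked admin hits."""
    counts = Counter(
        doc["ip"] for doc in map(parse_line, lines) if doc["message"] == "admin_access_blocked"
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    handler = ListHandler()
    log = build_security_logger(handler)
    # Constructed events: one source probing the hidden admin path repeatedly.
    log_admin_blocked(log, "203.0.113.5", "/hidden-admin-xyz123/")
    log_admin_blocked(log, "203.0.113.5", "/hidden-admin-xyz123/login/")
    log_admin_blocked(log, "198.51.100.9", "/hidden-admin-xyz123/")
    print("\n".join(handler.lines))
    print("repeat offenders:", blocked_ips_over(handler.lines, 2))
```

The same parse-and-count loop is what you would hand to a log shipper or cron job; because every field is a key rather than a substring of a message, a change to the human-readable text does not break the detection.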

Requirements

  • Python 3.10+
  • Django 4.2+
  • whitenoise, django-axes, django-ratelimit, django-redis, python-json-logger

License

MIT License

Author

Wilfred


Source Distribution

django_project_core_settings-0.1.0.tar.gz (21.9 kB view details)


Built Distribution


django_project_core_settings-0.1.0-py3-none-any.whl (34.6 kB view details)


File details

Details for the file django_project_core_settings-0.1.0.tar.gz.

File metadata

File hashes

Hashes for django_project_core_settings-0.1.0.tar.gz
Algorithm Hash digest
SHA256 b02468a4949d56db090719d4e9b479cd0c9be77415c929aa6f20beb6d1f8b423
MD5 6c9d8059d768534084f4a989cda3112a
BLAKE2b-256 2c5c9ae5082d5a956728b131a2aa6d120da30ea4c79031528142c1777bd03c69


File details

Details for the file django_project_core_settings-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for django_project_core_settings-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 5ef032ecf458222b9a28d7e8dd69472dde0a5d0c42df7975fbeac16149fcacab
MD5 6156ecb27fb1645e9fbfaf1276df1ac0
BLAKE2b-256 b61cb24dbe36c39c543522d644dc487c476b4bfa52b1a2d1487fa5214c0a1f24

